Thursday, June 25, 2015

pita bread trickery

As can be read here, it has been known for some time that the CPU emits electromagnetic signals during operation which carry enough of a "signature" that crypto keys may be recovered from them. This happens in particular during RSA decryption and signing operations. Since this is a public paper using publicly available SDRs, and thinking 20 years ahead, there is a good chance that there are setups today with antennas and sufficient DSP computing power that can recover keys from a far larger distance than just the mentioned 50 cm. What does that mean for opmsg?

In the new version (1.3), I enabled RSA blinding during decryption and signing. During "normal operation", due to the DH keys in use, there should be no attack surface. In the worst case the attacker just recovers the private half of the DH key of his own specially crafted message. Further, opmsg verifies the integrity of the sender before any decryption, so you can't decrypt specially crafted messages (as required in the paper) from strangers who hope to capture the emitted signals once the message is processed. It is already recommended (and easy to set up) to use a dedicated persona for each peer. If you follow that guideline, even without RSA blinding the attacker can only decrypt his own messages.

What else is new?

o The use of RSA-fallback mode can now be seen in the output
o it is possible to --burn keys (only use once)
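To make the RSA blinding countermeasure mentioned above concrete, here is an added textbook illustration of what blinding does to a private-key operation. It is not opmsg's code (opmsg relies on its crypto library for this) and it uses constructed toy primes and plain integer arithmetic rather than a real key size; the function and variable names are my own. The point it shows: with blinding, the private exponent is never applied directly to a ciphertext the sender chose, but to a value randomised by r, and the result is corrected afterwards. Signing is the same operation with the message hash in place of c.

```python
import math
import secrets

# Constructed toy RSA key for illustration only (assumption of this example;
# a real key uses primes of 1024+ bits each).
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent (modular inverse, Python 3.8+)


def rsa_encrypt(m: int, e: int = E, n: int = N) -> int:
    """Public operation: c = m^e mod n."""
    return pow(m, e, n)


def rsa_decrypt_unblinded(c: int, d: int = D, n: int = N) -> int:
    """Private operation applied directly to an attacker-chosen c.
    The square-and-multiply sequence (and therefore the emitted signal)
    is a function of d and of the chosen input c, which is what the
    paper's attack exploits."""
    return pow(c, d, n)


def blind(c: int, e: int = E, n: int = N) -> tuple[int, int]:
    """Return (c * r^e mod n, r) for a fresh random r coprime with n."""
    while True:
        r = secrets.randbelow(n - 2) + 2  # r in [2, n-1]
        if math.gcd(r, n) == 1:
            return (c * pow(r, e, n)) % n, r


def unblind(m_blind: int, r: int, n: int = N) -> int:
    """Remove the blinding factor: m = m' * r^-1 mod n."""
    return (m_blind * pow(r, -1, n)) % n


def rsa_decrypt_blinded(c: int, d: int = D, e: int = E, n: int = N) -> int:
    """Private operation with blinding: the exponentiation with d runs on a
    random-looking value the attacker did not choose and cannot predict.
    (c * r^e)^d = c^d * r^(ed) = m * r mod n, so multiplying by r^-1
    recovers m."""
    c_blind, r = blind(c, e, n)
    m_blind = pow(c_blind, d, n)
    return unblind(m_blind, r, n)


if __name__ == "__main__":
    msg = 123456789  # constructed plaintext, must be < N
    ct = rsa_encrypt(msg)
    print("unblinded:", rsa_decrypt_unblinded(ct) == msg)
    print("blinded:  ", rsa_decrypt_blinded(ct) == msg)
```

Each call to `rsa_decrypt_blinded` exponentiates a different value even for the same ciphertext, so an observer who repeatedly feeds the same crafted input (as the paper's attack requires) no longer sees the private exponent being applied to a value under their control.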